Do I misunderstand this section: "Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation." That sounds like you can be sued by any subject on their whim?
That is not how the EU works. In the US I would be very afraid reading that; in the EU nothing will happen if you do not violate in a spectacular way, and that only after many warnings. They are after companies tracking you across real estate and selling relevant data from their vast silos to companies that can market stuff to you. They tried many ways already to prevent this kind of practice in some countries, but loopholes were found, so this is the hammer. As a small company, if you answer and act on actual user complaints, you have no worries no matter what the language. It is not in their interest to go for small offences. And if your story is reasonable, like OP's, they will just let it go.
What this gives the EU is the hammer to hit persistent abusers of user data. They want you to be careful with user data and not treat it like you own it; you do not. It is not yours to sell or share or publicize.
Edit: note as well that every country has a compliance office; if they know you are in compliance, as in you are ‘good people’ (best effort, no giant holes etc.; just best practice in our field, which you should do anyway), they will not bother you with every (or any) user complaint after that. I have good experiences with this with far graver (and potentially criminally punishable) matters in a few EU countries.
It is reasonable to assume overreach by governing bodies will occur; this is no less true for the EU than for any national government. The EU is no less likely to misuse that hammer, intentionally or not.
"It is reasonable to assume overreach by governing bodies will occur"
No, it's not, as they now have regulations in place to prevent that; before GDPR you could. You can only be sued to the poorhouse from it if you do something like leave your patients' health information on the bus.
Even then you probably won't. If it's an incident that happened despite having taken the necessary precautions, you would probably get only a small fine or a warning.
These laws have been in place since 2016; they are going to start enforcing them starting the 25th. If you actually read anything about it from the source, it's clear it's set up against data abusers. It's not aimed at small businesses. If you don't do anything with user data, you don't even have to do anything, like in the case of the OP. Aside from that, the EU doesn't have a history of overreaching/abusing power such as this. If this was US legislation your worries would be justified.
So we've gone from "you can't", to "you won't", to "you almost certainly won't". I completely agree; I'm just saying the 1% possibility is something you have to live with.